NHSDigital
diff --git a/‎.github/workflows/deploy-prod.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/deploy-prod.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/deploy-sandbox.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/deploy-sandbox.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/deploy-test.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/deploy-test.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎base_iam/iam_github_actions_role.tf‎
Lines changed: 66 additions & 0 deletions b/‎base_iam/iam_github_actions_role.tf‎
Lines changed: 66 additions & 0 deletions
@@ -24,7 +24,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: refs/tags/${{ github.event.inputs.git_tag}}
+          ref: refs/tags/${{ github.event.inputs.git_tag }}
           fetch-depth: "0"
 
       - name: Apply base_iam
@@ -48,7 +48,7 @@ jobs:
       - name: Checkout Tag
         uses: actions/checkout@v6
         with:
-          ref: refs/tags/${{ inputs.git_tag}}
+          ref: refs/tags/${{ inputs.git_tag }}
           fetch-depth: "0"
 
       - name: Apply Main
 
@@ -96,7 +96,7 @@ jobs:
         uses: ./.github/actions/tf-plan-apply
         with:
           # use newly created role
-          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name}}-github-actions-role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name }}-github-actions-role
           bucket_prefix: "dev"
           aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
           aws_region: ${{ vars.AWS_REGION }}
@@ -120,7 +120,7 @@ jobs:
         uses: ./.github/actions/tf-plan-apply
         with:
           # use newly created role
-          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name}}-github-actions-role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name }}-github-actions-role
           bucket_prefix: "dev"
           aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
           aws_region: ${{ vars.AWS_REGION }}
 
@@ -24,7 +24,7 @@ jobs:
       - name: Checkout branch
         uses: actions/checkout@v6
         with:
-          ref: ${{ inputs.git_ref}}
+          ref: ${{ inputs.git_ref }}
 
       - name: Apply base_iam
         uses: ./.github/actions/tf-plan-apply
@@ -47,7 +47,7 @@ jobs:
       - name: Checkout main
         uses: actions/checkout@v6
         with:
-          ref: ${{ github.event.inputs.git_ref}}
+          ref: ${{ github.event.inputs.git_ref }}
 
       - name: Apply Main
         uses: ./.github/actions/tf-plan-apply
 
@@ -0,0 +1,66 @@
+resource "aws_iam_role" "github_actions" {
+  name                  = "${terraform.workspace}-github-actions-role"
+  description           = "This role provides access for GitHub Actions to the ${terraform.workspace} environment. "
+  force_detach_policies = false
+  max_session_duration  = 3600
+  name_prefix           = null
+  path                  = "/"
+  permissions_boundary  = null
+  tags                  = {}
+  assume_role_policy = local.is_sandbox_or_dev ? jsonencode(
+    {
+      Statement = [
+        {
+          Action = "sts:AssumeRoleWithWebIdentity"
+          Condition = {
+            StringEquals = {
+              "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+            }
+            StringLike = {
+              "token.actions.githubusercontent.com:sub" = [
+                "repo:NHSDigital/national-document-repository-infrastructure:*",
+                "repo:NHSDigital/national-document-repository:*",
+              ]
+            }
+          }
+          Effect = "Allow"
+          Principal = {
+            Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+          }
+        },
+        {
+          Action = "sts:AssumeRole"
+          Effect = "Allow"
+          Principal = {
+            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e"
+          }
+        },
+      ]
+      Version = "2012-10-17"
+    }
+    ) : jsonencode(
+    {
+      Statement = [
+        {
+          Action = "sts:AssumeRoleWithWebIdentity"
+          Condition = {
+            StringEquals = {
+              "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+            }
+            StringLike = {
+              "token.actions.githubusercontent.com:sub" = [
+                "repo:NHSDigital/national-document-repository-infrastructure:*",
+                "repo:NHSDigital/national-document-repository:*",
+              ]
+            }
+          }
+          Effect = "Allow"
+          Principal = {
+            Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+          }
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}